I use a download manager with my browser and I have found that the predefined FTP Client rules will not suffice in all cases. When I try to download an update from ftp.drweb.com, I receive an ftp-data request from port 20 of the IP address associated with the remote site I am trying to download from. This request is blocked since I have no global or application network rule to allow this. If I allow the incoming request, the download will work.
Can someone explain how port 20 comes into play and if it is okay to allow this port for incoming traffic?
That should be a legitimate active FTP data request. If CFP doesn’t allow it on the fly, it should still be safe to add that global rule. V3 will block those connections if no app is listening on that port.
I guess this could be filed as a stateful packet inspection bug but I have no clue about how other firewalls handle this.
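
An added illustration of the stateful inspection mentioned in the reply above (not code from the thread or from any firewall product): a minimal tracker that reads the client's PORT command on the FTP control channel and admits only the matching inbound connection from server port 20. The class and function names and the addresses are constructed for the example; it assumes no NAT between client and server and a server that sends data from port 20.

```python
import re

# RFC 959 active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" on the
# control channel; the server then connects back from its data port (20).
PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", re.I)

def parse_port(line):
    """Return (ip, port) announced by a PORT command, or None."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class ActiveFtpTracker:
    """Hypothetical helper: remembers data connections a client asked for."""
    def __init__(self):
        self.expected = set()  # {(server_ip, client_ip, client_port)}

    def on_control_line(self, client_ip, server_ip, line):
        parsed = parse_port(line)
        if parsed is None:
            return
        ip, port = parsed
        # Ignore PORT commands that name another host or a privileged port.
        if ip == client_ip and port >= 1024:
            self.expected.add((server_ip, client_ip, port))

    def allow_inbound(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, dst_ip, dst_port)
        if src_port == 20 and key in self.expected:
            self.expected.discard(key)  # one data connection per PORT command
            return True
        return False

# Constructed sample traffic (documentation address ranges).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"

def demo():
    fw = ActiveFtpTracker()
    before = fw.allow_inbound(SERVER, 20, CLIENT, 50000)
    fw.on_control_line(CLIENT, SERVER, "PORT 192,0,2,10,195,80\r\n")
    wrong_port = fw.allow_inbound(SERVER, 20, CLIENT, 50001)
    matched = fw.allow_inbound(SERVER, 20, CLIENT, 50000)
    replay = fw.allow_inbound(SERVER, 20, CLIENT, 50000)
    return before, wrong_port, matched, replay

if __name__ == "__main__":
    print(demo())
```

A blanket global rule for source port 20 admits every case this tracker rejects, which is why a firewall that follows the control channel can be stricter than the static rule.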